[GitHub/mt8127/android_kernel_alcatel_ttab.git] / net / bluetooth / rfcomm / tty.c

/*
   RFCOMM implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
   Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/

/*
 * RFCOMM TTY.
 */

#include <linux/module.h>

#include <linux/tty.h>
#include <linux/tty_driver.h>
#include <linux/tty_flip.h>

#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
#include <net/bluetooth/rfcomm.h>

#define RFCOMM_TTY_MAGIC 0x6d02		/* magic number for rfcomm struct */
#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV	/* whole lotta rfcomm devices */
#define RFCOMM_TTY_MAJOR 216		/* device node major id of the usb/bluetooth.c driver */
#define RFCOMM_TTY_MINOR 0

static struct tty_driver *rfcomm_tty_driver;

struct rfcomm_dev {
	struct tty_port		port;
	struct list_head	list;

	char			name[12];
	int			id;
	unsigned long		flags;
	int			err;

	bdaddr_t		src;
	bdaddr_t		dst;
	u8			channel;

	uint			modem_status;

	struct rfcomm_dlc	*dlc;
	wait_queue_head_t       wait;

	struct device		*tty_dev;

	atomic_t		wmem_alloc;

	struct sk_buff_head	pending;
};

static LIST_HEAD(rfcomm_dev_list);
static DEFINE_SPINLOCK(rfcomm_dev_lock);

static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb);
static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);

/* ---- Device functions ---- */

/*
 * The reason this isn't actually a race, as you no doubt have a little voice
 * screaming at you in your head, is that the refcount should never actually
 * reach zero unless the device has already been taken off the list, in
 * rfcomm_dev_del(). And if that's not true, we'll hit the BUG() in
 * rfcomm_dev_destruct() anyway.
 */
static void rfcomm_dev_destruct(struct tty_port *port)
{
	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
	struct rfcomm_dlc *dlc = dev->dlc;

	BT_DBG("dev %p dlc %p", dev, dlc);

	/* Refcount should only hit zero when called from rfcomm_dev_del()
	   which will have taken us off the list. Everything else are
	   refcounting bugs. */
	BUG_ON(!list_empty(&dev->list));

	rfcomm_dlc_lock(dlc);
	/* Detach DLC if it's owned by this dev */
	if (dlc->owner == dev)
		dlc->owner = NULL;
	rfcomm_dlc_unlock(dlc);

	rfcomm_dlc_put(dlc);

	tty_unregister_device(rfcomm_tty_driver, dev->id);

	kfree(dev);

	/* It's safe to call module_put() here because socket still
	   holds reference to this module. */
	module_put(THIS_MODULE);
}

static const struct tty_port_operations rfcomm_port_ops = {
	.destruct = rfcomm_dev_destruct,
};

static struct rfcomm_dev *__rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	list_for_each_entry(dev, &rfcomm_dev_list, list)
		if (dev->id == id)
			return dev;

	return NULL;
}

static struct rfcomm_dev *rfcomm_dev_get(int id)
{
	struct rfcomm_dev *dev;

	spin_lock(&rfcomm_dev_lock);

	dev = __rfcomm_dev_get(id);

	if (dev) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			dev = NULL;
		else
			tty_port_get(&dev->port);
	}

	spin_unlock(&rfcomm_dev_lock);

	return dev;
}

static struct device *rfcomm_get_device(struct rfcomm_dev *dev)
{
	struct hci_dev *hdev;
	struct hci_conn *conn;

	hdev = hci_get_route(&dev->dst, &dev->src);
	if (!hdev)
		return NULL;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);

	hci_dev_put(hdev);

	return conn ? &conn->dev : NULL;
}

static ssize_t show_address(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%pMR\n", &dev->dst);
}

static ssize_t show_channel(struct device *tty_dev, struct device_attribute *attr, char *buf)
{
	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	return sprintf(buf, "%d\n", dev->channel);
}

static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);

static int rfcomm_dev_add(struct rfcomm_dev_req *req, struct rfcomm_dlc *dlc)
{
	struct rfcomm_dev *dev, *entry;
	struct list_head *head = &rfcomm_dev_list;
	int err = 0;

	BT_DBG("id %d channel %d", req->dev_id, req->channel);

	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
	if (!dev)
		return -ENOMEM;

	spin_lock(&rfcomm_dev_lock);

	if (req->dev_id < 0) {
		dev->id = 0;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id != dev->id)
				break;

			dev->id++;
			head = &entry->list;
		}
	} else {
		dev->id = req->dev_id;

		list_for_each_entry(entry, &rfcomm_dev_list, list) {
			if (entry->id == dev->id) {
				err = -EADDRINUSE;
				goto out;
			}

			if (entry->id > dev->id - 1)
				break;

			head = &entry->list;
		}
	}

	if ((dev->id < 0) || (dev->id > RFCOMM_MAX_DEV - 1)) {
		err = -ENFILE;
		goto out;
	}

	sprintf(dev->name, "rfcomm%d", dev->id);

	list_add(&dev->list, head);

	bacpy(&dev->src, &req->src);
	bacpy(&dev->dst, &req->dst);
	dev->channel = req->channel;

	dev->flags = req->flags &
		((1 << RFCOMM_RELEASE_ONHUP) | (1 << RFCOMM_REUSE_DLC));

	tty_port_init(&dev->port);
	dev->port.ops = &rfcomm_port_ops;
	init_waitqueue_head(&dev->wait);

	skb_queue_head_init(&dev->pending);

	rfcomm_dlc_lock(dlc);

	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
		struct sock *sk = dlc->owner;
		struct sk_buff *skb;

		BUG_ON(!sk);

		rfcomm_dlc_throttle(dlc);

		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
			skb_orphan(skb);
			skb_queue_tail(&dev->pending, skb);
			atomic_sub(skb->len, &sk->sk_rmem_alloc);
		}
	}

	dlc->data_ready   = rfcomm_dev_data_ready;
	dlc->state_change = rfcomm_dev_state_change;
	dlc->modem_status = rfcomm_dev_modem_status;

	dlc->owner = dev;
	dev->dlc   = dlc;

	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);

	rfcomm_dlc_unlock(dlc);

	/* It's safe to call __module_get() here because socket already
	   holds reference to this module. */
	__module_get(THIS_MODULE);

out:
	spin_unlock(&rfcomm_dev_lock);

	if (err < 0)
		goto free;

	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
			dev->id, NULL);
	if (IS_ERR(dev->tty_dev)) {
		err = PTR_ERR(dev->tty_dev);
		list_del(&dev->list);
		goto free;
	}

	dev_set_drvdata(dev->tty_dev, dev);

	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
		BT_ERR("Failed to create address attribute");

	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
		BT_ERR("Failed to create channel attribute");

	return dev->id;

free:
	kfree(dev);
	return err;
}

static void rfcomm_dev_del(struct rfcomm_dev *dev)
{
	unsigned long flags;
	BT_DBG("dev %p", dev);

	BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));

	spin_lock_irqsave(&dev->port.lock, flags);
	if (dev->port.count > 0) {
		spin_unlock_irqrestore(&dev->port.lock, flags);
		return;
	}
	spin_unlock_irqrestore(&dev->port.lock, flags);

	spin_lock(&rfcomm_dev_lock);
	list_del_init(&dev->list);
	spin_unlock(&rfcomm_dev_lock);

	tty_port_put(&dev->port);
}

/* ---- Send buffer ---- */
static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
{
	/* We can't let it be zero, because we don't get a callback
	   when tx_credits becomes nonzero, hence we'd never wake up */
	return dlc->mtu * (dlc->tx_credits?:1);
}

static void rfcomm_wfree(struct sk_buff *skb)
{
	struct rfcomm_dev *dev = (void *) skb->sk;
	struct tty_struct *tty = dev->port.tty;
	atomic_sub(skb->truesize, &dev->wmem_alloc);
	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags) && tty)
		tty_wakeup(tty);
	tty_port_put(&dev->port);
}

static void rfcomm_set_owner_w(struct sk_buff *skb, struct rfcomm_dev *dev)
{
	tty_port_get(&dev->port);
	atomic_add(skb->truesize, &dev->wmem_alloc);
	skb->sk = (void *) dev;
	skb->destructor = rfcomm_wfree;
}

static struct sk_buff *rfcomm_wmalloc(struct rfcomm_dev *dev, unsigned long size, gfp_t priority)
{
	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
		struct sk_buff *skb = alloc_skb(size, priority);
		if (skb) {
			rfcomm_set_owner_w(skb, dev);
			return skb;
		}
	}
	return NULL;
}

/* ---- Device IOCTLs ---- */

#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) | (1 << RFCOMM_RELEASE_ONHUP))

static int rfcomm_create_dev(struct sock *sk, void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dlc *dlc;
	int id;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);

	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
		return -EPERM;

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* Socket must be connected */
		if (sk->sk_state != BT_CONNECTED)
			return -EBADFD;

		dlc = rfcomm_pi(sk)->dlc;
		rfcomm_dlc_hold(dlc);
	} else {
		dlc = rfcomm_dlc_alloc(GFP_KERNEL);
		if (!dlc)
			return -ENOMEM;
	}

	id = rfcomm_dev_add(&req, dlc);
	if (id < 0) {
		rfcomm_dlc_put(dlc);
		return id;
	}

	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
		/* DLC is now used by device.
		 * Socket must be disconnected */
		sk->sk_state = BT_CLOSED;
	}

	return id;
}

static int rfcomm_release_dev(void __user *arg)
{
	struct rfcomm_dev_req req;
	struct rfcomm_dev *dev;

	if (copy_from_user(&req, arg, sizeof(req)))
		return -EFAULT;

	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);

	dev = rfcomm_dev_get(req.dev_id);
	if (!dev)
		return -ENODEV;

	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
		tty_port_put(&dev->port);
		return -EPERM;
	}

	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
		rfcomm_dlc_close(dev->dlc, 0);

	/* Shut down TTY synchronously before freeing rfcomm_dev */
	if (dev->port.tty)
		tty_vhangup(dev->port.tty);

	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
		rfcomm_dev_del(dev);
	tty_port_put(&dev->port);
	return 0;
}

static int rfcomm_get_dev_list(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_list_req *dl;
	struct rfcomm_dev_info *di;
	int n = 0, size, err;
	u16 dev_num;

	BT_DBG("");

	if (get_user(dev_num, (u16 __user *) arg))
		return -EFAULT;

	if (!dev_num || dev_num > (PAGE_SIZE * 4) / sizeof(*di))
		return -EINVAL;

	size = sizeof(*dl) + dev_num * sizeof(*di);

	dl = kzalloc(size, GFP_KERNEL);
	if (!dl)
		return -ENOMEM;

	di = dl->dev_info;

	spin_lock(&rfcomm_dev_lock);

	list_for_each_entry(dev, &rfcomm_dev_list, list) {
		if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
			continue;
		(di + n)->id      = dev->id;
		(di + n)->flags   = dev->flags;
		(di + n)->state   = dev->dlc->state;
		(di + n)->channel = dev->channel;
		bacpy(&(di + n)->src, &dev->src);
		bacpy(&(di + n)->dst, &dev->dst);
		if (++n >= dev_num)
			break;
	}

	spin_unlock(&rfcomm_dev_lock);

	dl->dev_num = n;
	size = sizeof(*dl) + n * sizeof(*di);

	err = copy_to_user(arg, dl, size);
	kfree(dl);

	return err ? -EFAULT : 0;
}

static int rfcomm_get_dev_info(void __user *arg)
{
	struct rfcomm_dev *dev;
	struct rfcomm_dev_info di;
	int err = 0;

	BT_DBG("");

	if (copy_from_user(&di, arg, sizeof(di)))
		return -EFAULT;

	dev = rfcomm_dev_get(di.id);
	if (!dev)
		return -ENODEV;

	di.flags   = dev->flags;
	di.channel = dev->channel;
	di.state   = dev->dlc->state;
	bacpy(&di.src, &dev->src);
	bacpy(&di.dst, &dev->dst);

	if (copy_to_user(arg, &di, sizeof(di)))
		err = -EFAULT;

	tty_port_put(&dev->port);
	return err;
}

int rfcomm_dev_ioctl(struct sock *sk, unsigned int cmd, void __user *arg)
{
	BT_DBG("cmd %d arg %p", cmd, arg);

	switch (cmd) {
	case RFCOMMCREATEDEV:
		return rfcomm_create_dev(sk, arg);

	case RFCOMMRELEASEDEV:
		return rfcomm_release_dev(arg);

	case RFCOMMGETDEVLIST:
		return rfcomm_get_dev_list(arg);

	case RFCOMMGETDEVINFO:
		return rfcomm_get_dev_info(arg);
	}

	return -EINVAL;
}

/* ---- DLC callbacks ---- */
static void rfcomm_dev_data_ready(struct rfcomm_dlc *dlc, struct sk_buff *skb)
{
	struct rfcomm_dev *dev = dlc->owner;

	if (!dev) {
		kfree_skb(skb);
		return;
	}

	if (!skb_queue_empty(&dev->pending)) {
		skb_queue_tail(&dev->pending, skb);
		return;
	}

	BT_DBG("dlc %p len %d", dlc, skb->len);

	tty_insert_flip_string(&dev->port, skb->data, skb->len);
	tty_flip_buffer_push(&dev->port);

	kfree_skb(skb);
}

static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;

	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);

	dev->err = err;
	wake_up_interruptible(&dev->wait);

	if (dlc->state == BT_CLOSED) {
		if (!dev->port.tty) {
			if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
				/* Drop DLC lock here to avoid deadlock
				 * 1. rfcomm_dev_get will take rfcomm_dev_lock
				 *    but in rfcomm_dev_add there's lock order:
				 *    rfcomm_dev_lock -> dlc lock
				 * 2. tty_port_put will deadlock if it's
				 *    the last reference
				 */
				rfcomm_dlc_unlock(dlc);
				if (rfcomm_dev_get(dev->id) == NULL) {
					rfcomm_dlc_lock(dlc);
					return;
				}

				rfcomm_dev_del(dev);
				tty_port_put(&dev->port);
				rfcomm_dlc_lock(dlc);
			}
		} else
			tty_hangup(dev->port.tty);
	}
}

static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
{
	struct rfcomm_dev *dev = dlc->owner;
	if (!dev)
		return;
Commit	Line	Data
8e87d142	1	/*
1da177e4 LT	2	RFCOMM implementation for Linux Bluetooth stack (BlueZ).
	3	Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>
	4	Copyright (C) 2002 Marcel Holtmann <marcel@holtmann.org>
	5
	6	This program is free software; you can redistribute it and/or modify
	7	it under the terms of the GNU General Public License version 2 as
	8	published by the Free Software Foundation;
	9
	10	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
	11	OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	12	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
	13	IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
8e87d142 YH	14	CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
	15	WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
	16	ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
1da177e4 LT	17	OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
1da177e4 LT	18
8e87d142 YH	19	ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
8e87d142 YH	20	COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
1da177e4 LT	21	SOFTWARE IS DISCLAIMED.
	22	*/
	23
	24	/*
	25	* RFCOMM TTY.
1da177e4 LT	26	*/
1da177e4 LT	27
1da177e4 LT	28	#include <linux/module.h>
	29
	30	#include <linux/tty.h>
	31	#include <linux/tty_driver.h>
	32	#include <linux/tty_flip.h>
	33
1da177e4	34	#include <net/bluetooth/bluetooth.h>
0a85b964	35	#include <net/bluetooth/hci_core.h>
1da177e4 LT	36	#include <net/bluetooth/rfcomm.h>
1da177e4 LT	37
1da177e4 LT	38	#define RFCOMM_TTY_MAGIC 0x6d02 /* magic number for rfcomm struct */
	39	#define RFCOMM_TTY_PORTS RFCOMM_MAX_DEV /* whole lotta rfcomm devices */
	40	#define RFCOMM_TTY_MAJOR 216 /* device node major id of the usb/bluetooth.c driver */
	41	#define RFCOMM_TTY_MINOR 0
	42
	43	static struct tty_driver *rfcomm_tty_driver;
	44
	45	struct rfcomm_dev {
f60db8c4	46	struct tty_port port;
1da177e4	47	struct list_head list;
1da177e4 LT	48
	49	char name[12];
	50	int id;
	51	unsigned long flags;
1da177e4 LT	52	int err;
	53
	54	bdaddr_t src;
	55	bdaddr_t dst;
285b4e90	56	u8 channel;
1da177e4	57
285b4e90	58	uint modem_status;
1da177e4 LT	59
1da177e4 LT	60	struct rfcomm_dlc *dlc;
1da177e4	61	wait_queue_head_t wait;
1da177e4	62
c1a33136 MH	63	struct device *tty_dev;
c1a33136 MH	64
285b4e90	65	atomic_t wmem_alloc;
a0c22f22 MH	66
a0c22f22 MH	67	struct sk_buff_head pending;
1da177e4 LT	68	};
	69
	70	static LIST_HEAD(rfcomm_dev_list);
393432cd	71	static DEFINE_SPINLOCK(rfcomm_dev_lock);
1da177e4 LT	72
	73	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb);
	74	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err);
	75	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig);
	76
1da177e4	77	/* ---- Device functions ---- */
67054019 JS	78
	79	/*
	80	* The reason this isn't actually a race, as you no doubt have a little voice
	81	* screaming at you in your head, is that the refcount should never actually
	82	* reach zero unless the device has already been taken off the list, in
	83	* rfcomm_dev_del(). And if that's not true, we'll hit the BUG() in
	84	* rfcomm_dev_destruct() anyway.
	85	*/
	86	static void rfcomm_dev_destruct(struct tty_port *port)
1da177e4	87	{
67054019	88	struct rfcomm_dev *dev = container_of(port, struct rfcomm_dev, port);
1da177e4 LT	89	struct rfcomm_dlc *dlc = dev->dlc;
	90
	91	BT_DBG("dev %p dlc %p", dev, dlc);
	92
f951375d DY	93	/* Refcount should only hit zero when called from rfcomm_dev_del()
	94	which will have taken us off the list. Everything else are
	95	refcounting bugs. */
	96	BUG_ON(!list_empty(&dev->list));
8de0a154	97
1da177e4 LT	98	rfcomm_dlc_lock(dlc);
	99	/* Detach DLC if it's owned by this dev */
	100	if (dlc->owner == dev)
	101	dlc->owner = NULL;
	102	rfcomm_dlc_unlock(dlc);
	103
	104	rfcomm_dlc_put(dlc);
	105
	106	tty_unregister_device(rfcomm_tty_driver, dev->id);
	107
1da177e4 LT	108	kfree(dev);
1da177e4 LT	109
8e87d142	110	/* It's safe to call module_put() here because socket still
1da177e4 LT	111	holds reference to this module. */
	112	module_put(THIS_MODULE);
	113	}
	114
67054019 JS	115	static const struct tty_port_operations rfcomm_port_ops = {
	116	.destruct = rfcomm_dev_destruct,
	117	};
1da177e4 LT	118
	119	static struct rfcomm_dev *__rfcomm_dev_get(int id)
	120	{
	121	struct rfcomm_dev *dev;
1da177e4	122
8035ded4	123	list_for_each_entry(dev, &rfcomm_dev_list, list)
1da177e4 LT	124	if (dev->id == id)
1da177e4 LT	125	return dev;
1da177e4 LT	126
	127	return NULL;
	128	}
	129
6039aa73	130	static struct rfcomm_dev *rfcomm_dev_get(int id)
1da177e4 LT	131	{
	132	struct rfcomm_dev *dev;
	133
393432cd	134	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	135
1da177e4 LT	136	dev = __rfcomm_dev_get(id);
8de0a154 VT	137
	138	if (dev) {
	139	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
	140	dev = NULL;
	141	else
67054019	142	tty_port_get(&dev->port);
8de0a154	143	}
1da177e4	144
393432cd	145	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	146
	147	return dev;
	148	}
	149
0a85b964 MH	150	static struct device rfcomm_get_device(struct rfcomm_dev dev)
	151	{
	152	struct hci_dev *hdev;
	153	struct hci_conn *conn;
	154
	155	hdev = hci_get_route(&dev->dst, &dev->src);
	156	if (!hdev)
	157	return NULL;
	158
	159	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &dev->dst);
0a85b964 MH	160
	161	hci_dev_put(hdev);
	162
b2cfcd75	163	return conn ? &conn->dev : NULL;
0a85b964 MH	164	}
0a85b964 MH	165
dae6a0f6 MH	166	static ssize_t show_address(struct device tty_dev, struct device_attribute attr, char *buf)
	167	{
	168	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
fcb73338	169	return sprintf(buf, "%pMR\n", &dev->dst);
dae6a0f6 MH	170	}
	171
	172	static ssize_t show_channel(struct device tty_dev, struct device_attribute attr, char *buf)
	173	{
	174	struct rfcomm_dev *dev = dev_get_drvdata(tty_dev);
	175	return sprintf(buf, "%d\n", dev->channel);
	176	}
	177
	178	static DEVICE_ATTR(address, S_IRUGO, show_address, NULL);
	179	static DEVICE_ATTR(channel, S_IRUGO, show_channel, NULL);
	180
1da177e4 LT	181	static int rfcomm_dev_add(struct rfcomm_dev_req req, struct rfcomm_dlc dlc)
1da177e4 LT	182	{
8035ded4	183	struct rfcomm_dev dev, entry;
e57d758a	184	struct list_head *head = &rfcomm_dev_list;
1da177e4 LT	185	int err = 0;
	186
	187	BT_DBG("id %d channel %d", req->dev_id, req->channel);
8e87d142	188
25ea6db0	189	dev = kzalloc(sizeof(struct rfcomm_dev), GFP_KERNEL);
1da177e4 LT	190	if (!dev)
1da177e4 LT	191	return -ENOMEM;
1da177e4	192
393432cd	193	spin_lock(&rfcomm_dev_lock);
1da177e4 LT	194
	195	if (req->dev_id < 0) {
	196	dev->id = 0;
	197
8035ded4 LAD	198	list_for_each_entry(entry, &rfcomm_dev_list, list) {
8035ded4 LAD	199	if (entry->id != dev->id)
1da177e4 LT	200	break;
	201
	202	dev->id++;
e57d758a	203	head = &entry->list;
1da177e4 LT	204	}
	205	} else {
	206	dev->id = req->dev_id;
	207
8035ded4	208	list_for_each_entry(entry, &rfcomm_dev_list, list) {
1da177e4 LT	209	if (entry->id == dev->id) {
	210	err = -EADDRINUSE;
	211	goto out;
	212	}
	213
	214	if (entry->id > dev->id - 1)
	215	break;
	216
e57d758a	217	head = &entry->list;
1da177e4 LT	218	}
	219	}
	220
	221	if ((dev->id < 0) \|\| (dev->id > RFCOMM_MAX_DEV - 1)) {
	222	err = -ENFILE;
	223	goto out;
	224	}
	225
	226	sprintf(dev->name, "rfcomm%d", dev->id);
	227
	228	list_add(&dev->list, head);
1da177e4 LT	229
	230	bacpy(&dev->src, &req->src);
	231	bacpy(&dev->dst, &req->dst);
	232	dev->channel = req->channel;
	233
8e87d142	234	dev->flags = req->flags &
1da177e4 LT	235	((1 << RFCOMM_RELEASE_ONHUP) \| (1 << RFCOMM_REUSE_DLC));
1da177e4 LT	236
f60db8c4	237	tty_port_init(&dev->port);
67054019	238	dev->port.ops = &rfcomm_port_ops;
1da177e4	239	init_waitqueue_head(&dev->wait);
1da177e4	240
a0c22f22 MH	241	skb_queue_head_init(&dev->pending);
a0c22f22 MH	242
1da177e4	243	rfcomm_dlc_lock(dlc);
a0c22f22 MH	244
	245	if (req->flags & (1 << RFCOMM_REUSE_DLC)) {
	246	struct sock *sk = dlc->owner;
	247	struct sk_buff *skb;
	248
	249	BUG_ON(!sk);
	250
	251	rfcomm_dlc_throttle(dlc);
	252
	253	while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
	254	skb_orphan(skb);
	255	skb_queue_tail(&dev->pending, skb);
	256	atomic_sub(skb->len, &sk->sk_rmem_alloc);
	257	}
	258	}
	259
1da177e4 LT	260	dlc->data_ready = rfcomm_dev_data_ready;
	261	dlc->state_change = rfcomm_dev_state_change;
	262	dlc->modem_status = rfcomm_dev_modem_status;
	263
	264	dlc->owner = dev;
	265	dev->dlc = dlc;
8b6b3da7 MH	266
	267	rfcomm_dev_modem_status(dlc, dlc->remote_v24_sig);
	268
1da177e4 LT	269	rfcomm_dlc_unlock(dlc);
1da177e4 LT	270
8e87d142	271	/* It's safe to call __module_get() here because socket already
1da177e4 LT	272	holds reference to this module. */
	273	__module_get(THIS_MODULE);
	274
	275	out:
393432cd	276	spin_unlock(&rfcomm_dev_lock);
1da177e4	277
037322ab IJ	278	if (err < 0)
037322ab IJ	279	goto free;
1da177e4	280
734cc178 JS	281	dev->tty_dev = tty_port_register_device(&dev->port, rfcomm_tty_driver,
734cc178 JS	282	dev->id, NULL);
8de0a154	283	if (IS_ERR(dev->tty_dev)) {
09c7d829	284	err = PTR_ERR(dev->tty_dev);
8de0a154	285	list_del(&dev->list);
037322ab	286	goto free;
8de0a154 VT	287	}
8de0a154 VT	288
dae6a0f6 MH	289	dev_set_drvdata(dev->tty_dev, dev);
	290
	291	if (device_create_file(dev->tty_dev, &dev_attr_address) < 0)
	292	BT_ERR("Failed to create address attribute");
	293
	294	if (device_create_file(dev->tty_dev, &dev_attr_channel) < 0)
	295	BT_ERR("Failed to create channel attribute");
	296
1da177e4	297	return dev->id;
037322ab IJ	298
	299	free:
	300	kfree(dev);
	301	return err;
1da177e4 LT	302	}
	303
	304	static void rfcomm_dev_del(struct rfcomm_dev *dev)
	305	{
f997a01e	306	unsigned long flags;
1da177e4 LT	307	BT_DBG("dev %p", dev);
1da177e4 LT	308
9a5df923 MH	309	BUG_ON(test_and_set_bit(RFCOMM_TTY_RELEASED, &dev->flags));
9a5df923 MH	310
f997a01e JS	311	spin_lock_irqsave(&dev->port.lock, flags);
	312	if (dev->port.count > 0) {
	313	spin_unlock_irqrestore(&dev->port.lock, flags);
9a5df923	314	return;
f997a01e JS	315	}
f997a01e JS	316	spin_unlock_irqrestore(&dev->port.lock, flags);
f951375d	317
393432cd	318	spin_lock(&rfcomm_dev_lock);
f951375d	319	list_del_init(&dev->list);
393432cd	320	spin_unlock(&rfcomm_dev_lock);
f951375d	321
67054019	322	tty_port_put(&dev->port);
1da177e4 LT	323	}
	324
	325	/* ---- Send buffer ---- */
	326	static inline unsigned int rfcomm_room(struct rfcomm_dlc *dlc)
	327	{
	328	/* We can't let it be zero, because we don't get a callback
	329	when tx_credits becomes nonzero, hence we'd never wake up */
	330	return dlc->mtu * (dlc->tx_credits?:1);
	331	}
	332
	333	static void rfcomm_wfree(struct sk_buff *skb)
	334	{
	335	struct rfcomm_dev dev = (void ) skb->sk;
b2c4be39	336	struct tty_struct *tty = dev->port.tty;
1da177e4	337	atomic_sub(skb->truesize, &dev->wmem_alloc);
b2c4be39 JS	338	if (test_bit(RFCOMM_TTY_ATTACHED, &dev->flags) && tty)
b2c4be39 JS	339	tty_wakeup(tty);
67054019	340	tty_port_put(&dev->port);
1da177e4 LT	341	}
1da177e4 LT	342
6039aa73	343	static void rfcomm_set_owner_w(struct sk_buff skb, struct rfcomm_dev dev)
1da177e4	344	{
67054019	345	tty_port_get(&dev->port);
1da177e4 LT	346	atomic_add(skb->truesize, &dev->wmem_alloc);
	347	skb->sk = (void *) dev;
	348	skb->destructor = rfcomm_wfree;
	349	}
	350
dd0fc66f	351	static struct sk_buff rfcomm_wmalloc(struct rfcomm_dev dev, unsigned long size, gfp_t priority)
1da177e4 LT	352	{
	353	if (atomic_read(&dev->wmem_alloc) < rfcomm_room(dev->dlc)) {
	354	struct sk_buff *skb = alloc_skb(size, priority);
	355	if (skb) {
	356	rfcomm_set_owner_w(skb, dev);
	357	return skb;
	358	}
	359	}
	360	return NULL;
	361	}
	362
	363	/* ---- Device IOCTLs ---- */
	364
	365	#define NOCAP_FLAGS ((1 << RFCOMM_REUSE_DLC) \| (1 << RFCOMM_RELEASE_ONHUP))
	366
	367	static int rfcomm_create_dev(struct sock sk, void __user arg)
	368	{
	369	struct rfcomm_dev_req req;
	370	struct rfcomm_dlc *dlc;
	371	int id;
	372
	373	if (copy_from_user(&req, arg, sizeof(req)))
	374	return -EFAULT;
	375
8de0a154	376	BT_DBG("sk %p dev_id %d flags 0x%x", sk, req.dev_id, req.flags);
1da177e4 LT	377
	378	if (req.flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN))
	379	return -EPERM;
	380
	381	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	382	/* Socket must be connected */
	383	if (sk->sk_state != BT_CONNECTED)
	384	return -EBADFD;
	385
	386	dlc = rfcomm_pi(sk)->dlc;
	387	rfcomm_dlc_hold(dlc);
	388	} else {
	389	dlc = rfcomm_dlc_alloc(GFP_KERNEL);
	390	if (!dlc)
	391	return -ENOMEM;
	392	}
	393
	394	id = rfcomm_dev_add(&req, dlc);
	395	if (id < 0) {
	396	rfcomm_dlc_put(dlc);
	397	return id;
	398	}
	399
	400	if (req.flags & (1 << RFCOMM_REUSE_DLC)) {
	401	/* DLC is now used by device.
	402	* Socket must be disconnected */
	403	sk->sk_state = BT_CLOSED;
	404	}
	405
	406	return id;
	407	}
	408
	409	static int rfcomm_release_dev(void __user *arg)
	410	{
	411	struct rfcomm_dev_req req;
	412	struct rfcomm_dev *dev;
	413
	414	if (copy_from_user(&req, arg, sizeof(req)))
	415	return -EFAULT;
	416
8de0a154	417	BT_DBG("dev_id %d flags 0x%x", req.dev_id, req.flags);
1da177e4	418
285b4e90 AE	419	dev = rfcomm_dev_get(req.dev_id);
285b4e90 AE	420	if (!dev)
1da177e4 LT	421	return -ENODEV;
	422
	423	if (dev->flags != NOCAP_FLAGS && !capable(CAP_NET_ADMIN)) {
67054019	424	tty_port_put(&dev->port);
1da177e4 LT	425	return -EPERM;
	426	}
	427
	428	if (req.flags & (1 << RFCOMM_HANGUP_NOW))
	429	rfcomm_dlc_close(dev->dlc, 0);
	430
84950cf0	431	/* Shut down TTY synchronously before freeing rfcomm_dev */
f60db8c4 JS	432	if (dev->port.tty)
f60db8c4 JS	433	tty_vhangup(dev->port.tty);
84950cf0	434
93d80740 DY	435	if (!test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags))
93d80740 DY	436	rfcomm_dev_del(dev);
67054019	437	tty_port_put(&dev->port);
1da177e4 LT	438	return 0;
	439	}
	440
	441	static int rfcomm_get_dev_list(void __user *arg)
	442	{
8035ded4	443	struct rfcomm_dev *dev;
1da177e4 LT	444	struct rfcomm_dev_list_req *dl;
1da177e4 LT	445	struct rfcomm_dev_info *di;
1da177e4 LT	446	int n = 0, size, err;
	447	u16 dev_num;
	448
	449	BT_DBG("");
	450
	451	if (get_user(dev_num, (u16 __user *) arg))
	452	return -EFAULT;
	453
	454	if (!dev_num \|\| dev_num > (PAGE_SIZE * 4) / sizeof(*di))
	455	return -EINVAL;
	456
	457	size = sizeof(dl) + dev_num sizeof(*di);
	458
f9432c5e	459	dl = kzalloc(size, GFP_KERNEL);
285b4e90	460	if (!dl)
1da177e4 LT	461	return -ENOMEM;
	462
	463	di = dl->dev_info;
	464
393432cd	465	spin_lock(&rfcomm_dev_lock);
1da177e4	466
8035ded4	467	list_for_each_entry(dev, &rfcomm_dev_list, list) {
8de0a154 VT	468	if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags))
8de0a154 VT	469	continue;
1da177e4 LT	470	(di + n)->id = dev->id;
	471	(di + n)->flags = dev->flags;
	472	(di + n)->state = dev->dlc->state;
	473	(di + n)->channel = dev->channel;
	474	bacpy(&(di + n)->src, &dev->src);
	475	bacpy(&(di + n)->dst, &dev->dst);
	476	if (++n >= dev_num)
	477	break;
	478	}
	479
393432cd	480	spin_unlock(&rfcomm_dev_lock);
1da177e4 LT	481
	482	dl->dev_num = n;
	483	size = sizeof(dl) + n sizeof(*di);
	484
	485	err = copy_to_user(arg, dl, size);
	486	kfree(dl);
	487
	488	return err ? -EFAULT : 0;
	489	}
	490
	491	static int rfcomm_get_dev_info(void __user *arg)
	492	{
	493	struct rfcomm_dev *dev;
	494	struct rfcomm_dev_info di;
	495	int err = 0;
	496
	497	BT_DBG("");
	498
	499	if (copy_from_user(&di, arg, sizeof(di)))
	500	return -EFAULT;
	501
285b4e90 AE	502	dev = rfcomm_dev_get(di.id);
285b4e90 AE	503	if (!dev)
1da177e4 LT	504	return -ENODEV;
	505
	506	di.flags = dev->flags;
	507	di.channel = dev->channel;
	508	di.state = dev->dlc->state;
	509	bacpy(&di.src, &dev->src);
	510	bacpy(&di.dst, &dev->dst);
	511
	512	if (copy_to_user(arg, &di, sizeof(di)))
	513	err = -EFAULT;
	514
67054019	515	tty_port_put(&dev->port);
1da177e4 LT	516	return err;
	517	}
	518
	519	int rfcomm_dev_ioctl(struct sock sk, unsigned int cmd, void __user arg)
	520	{
	521	BT_DBG("cmd %d arg %p", cmd, arg);
	522
	523	switch (cmd) {
	524	case RFCOMMCREATEDEV:
	525	return rfcomm_create_dev(sk, arg);
	526
	527	case RFCOMMRELEASEDEV:
	528	return rfcomm_release_dev(arg);
	529
	530	case RFCOMMGETDEVLIST:
	531	return rfcomm_get_dev_list(arg);
	532
	533	case RFCOMMGETDEVINFO:
	534	return rfcomm_get_dev_info(arg);
	535	}
	536
	537	return -EINVAL;
	538	}
	539
	540	/* ---- DLC callbacks ---- */
	541	static void rfcomm_dev_data_ready(struct rfcomm_dlc dlc, struct sk_buff skb)
	542	{
	543	struct rfcomm_dev *dev = dlc->owner;
8e87d142	544
a0c22f22	545	if (!dev) {
1da177e4 LT	546	kfree_skb(skb);
	547	return;
	548	}
	549
2e124b4a	550	if (!skb_queue_empty(&dev->pending)) {
a0c22f22 MH	551	skb_queue_tail(&dev->pending, skb);
	552	return;
	553	}
	554
2e124b4a	555	BT_DBG("dlc %p len %d", dlc, skb->len);
1da177e4	556
05c7cd39	557	tty_insert_flip_string(&dev->port, skb->data, skb->len);
2e124b4a	558	tty_flip_buffer_push(&dev->port);
1da177e4 LT	559
	560	kfree_skb(skb);
	561	}
	562
	563	static void rfcomm_dev_state_change(struct rfcomm_dlc *dlc, int err)
	564	{
	565	struct rfcomm_dev *dev = dlc->owner;
	566	if (!dev)
	567	return;
8e87d142	568
1da177e4 LT	569	BT_DBG("dlc %p dev %p err %d", dlc, dev, err);
	570
	571	dev->err = err;
	572	wake_up_interruptible(&dev->wait);
	573
	574	if (dlc->state == BT_CLOSED) {
f60db8c4	575	if (!dev->port.tty) {
1da177e4	576	if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) {
537d59af DY	577	/* Drop DLC lock here to avoid deadlock
	578	* 1. rfcomm_dev_get will take rfcomm_dev_lock
	579	* but in rfcomm_dev_add there's lock order:
	580	* rfcomm_dev_lock -> dlc lock
67054019	581	* 2. tty_port_put will deadlock if it's
537d59af DY	582	* the last reference
	583	*/
	584	rfcomm_dlc_unlock(dlc);
	585	if (rfcomm_dev_get(dev->id) == NULL) {
	586	rfcomm_dlc_lock(dlc);
77f2a45f	587	return;
537d59af	588	}
1da177e4	589
77f2a45f	590	rfcomm_dev_del(dev);
67054019	591	tty_port_put(&dev->port);
537d59af	592	rfcomm_dlc_lock(dlc);
1da177e4	593	}
8e87d142	594	} else
f60db8c4	595	tty_hangup(dev->port.tty);
1da177e4 LT	596	}
	597	}
	598
	599	static void rfcomm_dev_modem_status(struct rfcomm_dlc *dlc, u8 v24_sig)
	600	{
	601	struct rfcomm_dev *dev = dlc->owner;
	602	if (!dev)
	603	return;